diff --git a/README.md b/README.md
index b1a006309..0ef057a6f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
Best Practices for Kubernetes Workload Configuration
-
+
diff --git a/checks/multipleReplicasForDeployment.yaml b/checks/deploymentMissingReplicas.yaml
similarity index 100%
rename from checks/multipleReplicasForDeployment.yaml
rename to checks/deploymentMissingReplicas.yaml
diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
index aba6d8d17..6cb35b3e6 100644
--- a/deploy/dashboard.yaml
+++ b/deploy/dashboard.yaml
@@ -102,7 +102,7 @@ metadata:
app: polaris
component: dashboard
spec:
- replicas: 1
+ replicas: 2
selector:
matchLabels:
app: polaris
@@ -119,7 +119,7 @@ spec:
- dashboard
- --port
- "8080"
- image: 'quay.io/fairwinds/polaris:4.2'
+ image: 'quay.io/fairwinds/polaris:5.0'
imagePullPolicy: 'Always'
name: dashboard
ports:
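Review bot: The dashboard image on the `+` line is still referenced by the mutable tag `5.0`, and with `imagePullPolicy: 'Always'` kept and `replicas` raised to 2 in the previous hunk, the two pods can end up running different builds if the tag is re-pushed between their pulls, with no change to this manifest to show it. Pinning by digest removes that drift, e.g. `image: 'quay.io/fairwinds/polaris:5.0@sha256:<digest of the published 5.0 image>'`, with the digest refreshed as part of the release steps that bump this tag. Polaris's own `tagNotSpecified` check only rejects a missing or `latest` tag, so it will not flag this. The container spec continues outside the hunk.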
diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
index 95fa1a9e4..c894b93b5 100644
--- a/deploy/webhook.yaml
+++ b/deploy/webhook.yaml
@@ -101,7 +101,7 @@ metadata:
app: polaris
component: webhook
spec:
- replicas: 1
+ replicas: 2
selector:
matchLabels:
app: polaris
@@ -117,7 +117,7 @@ spec:
command:
- polaris
- webhook
- image: 'quay.io/fairwinds/polaris:4.2'
+ image: 'quay.io/fairwinds/polaris:5.0'
imagePullPolicy: 'Always'
ports:
- containerPort: 9876
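Review bot: The webhook image on the `+` line is pulled by the mutable tag `5.0` with `imagePullPolicy: 'Always'`, so the binary that decides admission results can change under an unchanged manifest whenever that tag is re-pushed, and the `replicas: 2` added in the earlier hunk means two webhook pods may not even be running the same build. For the component that gates admissions this is worth pinning by digest, e.g. `image: 'quay.io/fairwinds/polaris:5.0@sha256:<digest of the published 5.0 image>'`, and documenting where the digest comes from on each release. The Deployment spec continues past the hunk.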
diff --git a/docs/changelog.md b/docs/changelog.md
index af3510afa..4fbb338a3 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -5,6 +5,10 @@ meta:
content: "Fairwinds Polaris | Changelog"
---
+## 5.0.0
+* Renamed `multipleReplicasForDeployment` to `deploymentMissingReplicas`
+* Changed `RunAsRootAllowed` and `hostNetworkSet` default severity to `danger`
+* Changed `deploymentMissingReplicas` default severity to `warning`
## 4.2.0
* New flags `--disallow-(config|annotation)-exemptions`
diff --git a/docs/checks/reliability.md b/docs/checks/reliability.md
index ac1cd23a2..554337deb 100644
--- a/docs/checks/reliability.md
+++ b/docs/checks/reliability.md
@@ -15,7 +15,7 @@ key | default | description
`tagNotSpecified` | `danger` | Fails when an image tag is either not specified or `latest`.
`pullPolicyNotAlways` | `warning` | Fails when an image pull policy is not `always`.
`priorityClassNotSet` | `ignore` | Fails when a priorityClassName is not set for a pod.
-`multipleReplicasForDeployment` | `ignore` | Fails when there is only one replica for a deployment.
+`deploymentMissingReplicas` | `warning` | Fails when there is only one replica for a deployment.
`missingPodDisruptionBudget` | `ignore`
## Background
diff --git a/docs/infrastructure-as-code.md b/docs/infrastructure-as-code.md
index 8309d8b91..af96db210 100644
--- a/docs/infrastructure-as-code.md
+++ b/docs/infrastructure-as-code.md
@@ -90,7 +90,7 @@ The version number of the release tag.
```yaml
uses: fairwindsops/polaris/.github/actions/setup-polaris@master
with:
- version: 4.2.0
+ version: 5.0.0
```
Example inside a job:
@@ -101,7 +101,7 @@ steps:
- name: Setup polaris
uses: fairwindsops/polaris/.github/actions/setup-polaris@master
with:
- version: 4.2.0
+ version: 5.0.0
- name: Use command
run: polaris version
diff --git a/examples/config-full.yaml b/examples/config-full.yaml
index fa4892beb..e050d0a61 100644
--- a/examples/config-full.yaml
+++ b/examples/config-full.yaml
@@ -1,6 +1,6 @@
checks:
# reliability
- multipleReplicasForDeployment: warning
+ deploymentMissingReplicas: warning
priorityClassNotSet: warning
tagNotSpecified: danger
pullPolicyNotAlways: warning
@@ -16,11 +16,11 @@ checks:
hostPIDSet: danger
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
- runAsRootAllowed: warning
+ runAsRootAllowed: danger
runAsPrivileged: danger
dangerousCapabilities: danger
insecureCapabilities: warning
- hostNetworkSet: warning
+ hostNetworkSet: danger
hostPortSet: warning
# custom
resourceLimits: warning
diff --git a/examples/config.yaml b/examples/config.yaml
index 87997f2a4..9b5a3af30 100644
--- a/examples/config.yaml
+++ b/examples/config.yaml
@@ -1,6 +1,6 @@
checks:
# reliability
- multipleReplicasForDeployment: ignore
+ deploymentMissingReplicas: warning
priorityClassNotSet: ignore
tagNotSpecified: danger
pullPolicyNotAlways: warning
@@ -20,11 +20,11 @@ checks:
hostPIDSet: danger
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
- runAsRootAllowed: warning
+ runAsRootAllowed: danger
runAsPrivileged: danger
dangerousCapabilities: danger
insecureCapabilities: warning
- hostNetworkSet: warning
+ hostNetworkSet: danger
hostPortSet: warning
tlsSettingsMissing: warning
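Review bot: Raising `runAsRootAllowed` and `hostNetworkSet` to `danger` on the `+` lines is a behaviour change for anyone running the webhook, if, as seems likely but is not visible here, a `danger` result is what the webhook uses to reject a resource: workloads that previously only produced a warning for a missing `runAsNonRoot` or for `hostNetwork: true` would start being blocked at admission after the upgrade. The 5.0.0 changelog entry lists the new severities but not this consequence. A short note beside these keys such as `# 5.0: now danger; webhook users who need the previous behaviour must set warning explicitly`, or the same sentence in the changelog, would make the change deliberate rather than a surprise. The `checks:` map continues past the hunk.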
diff --git a/main.go b/main.go
index 3ec891414..12c681396 100644
--- a/main.go
+++ b/main.go
@@ -20,7 +20,7 @@ import (
const (
// Version represents the current release version of Polaris
- Version = "4.2.0"
+ Version = "5.0.0"
)
func main() {
diff --git a/pkg/config/checks.go b/pkg/config/checks.go
index 5258401df..767b9a7a6 100644
--- a/pkg/config/checks.go
+++ b/pkg/config/checks.go
@@ -13,7 +13,7 @@ var (
// tests as we migrate toward JSON schema
checkOrder = []string{
// Controller Checks
- "multipleReplicasForDeployment",
+ "deploymentMissingReplicas",
// Pod checks
"hostIPCSet",
"hostPIDSet",
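Review bot: The rename on the `+` line drops `multipleReplicasForDeployment` without keeping it as an accepted alias, so a user config or exemption rule that still uses the old name (the rule-name form exercised in pkg/config/exemptions_test.go) will silently stop matching unless `Parse` rejects unknown check keys, which this diff does not show. The quiet outcome is either an exemption that no longer exempts or a check that is unexpectedly active under the new default severity. Either map the old key to `deploymentMissingReplicas` with a deprecation log line, or have `Parse` return an error for unknown check names so the upgrade fails loudly; a comment here, `// renamed from multipleReplicasForDeployment in 5.0; old name is not accepted`, would at least record the decision. The `checkOrder` slice continues outside the hunk.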
diff --git a/pkg/config/exemptions_test.go b/pkg/config/exemptions_test.go
index 6ac0e3d88..bdc235675 100644
--- a/pkg/config/exemptions_test.go
+++ b/pkg/config/exemptions_test.go
@@ -25,40 +25,40 @@ import (
var confContainerTest = `
checks:
- multipleReplicasForDeployment: warning
+ deploymentMissingReplicas: warning
priorityClassNotSet: warning
pullPolicyNotAlways: warning
exemptions:
- namespace: prometheus
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- controllerNames:
- controller2
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- namespace: kube-system
controllerNames:
- controller3
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- containerNames:
- container41
- container42
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- namespace: kube-system
containerNames:
- container51
- container52
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- controllerNames:
- controller6
containerNames:
- container61
- container62
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- namespace: kube-system
controllerNames:
- controller7
@@ -66,7 +66,7 @@ exemptions:
- container71
- container72
rules:
- - multipleReplicasForDeployment
+ - deploymentMissingReplicas
- priorityClassNotSet
- namespace: polaris
`
@@ -86,22 +86,22 @@ func TestNamespaceExemptionForSpecifiedRules(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("prometheus", ""), "")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("prometheus", ""), "")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("prometheus", "controller1"), "container11")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("prometheus", "controller1"), "container11")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("prometheus", ""), "container11")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("prometheus", ""), "container11")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("prometheus", "controller1"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("prometheus", "controller1"), "")
assert.False(t, actionable)
actionable = parsedConf.IsActionable("pullPolicyNotAlways", createMeta("prometheus", "controller1"), "")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", ""), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", ""), "")
assert.True(t, actionable)
}
@@ -109,16 +109,16 @@ func TestNamespaceExemptionForAllRules(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("polaris", ""), "")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("polaris", ""), "")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("polaris", "controller1"), "container11")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("polaris", "controller1"), "container11")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("polaris", ""), "container11")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("polaris", ""), "container11")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("polaris", "controller1"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("polaris", "controller1"), "")
assert.False(t, actionable)
actionable = parsedConf.IsActionable("pullPolicyNotAlways", createMeta("polaris", "controller1"), "")
@@ -129,28 +129,28 @@ func TestControllerExemption(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller2"), "")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller2"), "")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller2"), "container21")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller2"), "container21")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("prometheus", "controller2"), "container21")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("prometheus", "controller2"), "container21")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("prometheus", "controller2"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("prometheus", "controller2"), "")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller3"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller3"), "")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller3"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller3"), "")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller3"), "container31")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller3"), "container31")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller4"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller4"), "")
assert.True(t, actionable)
}
@@ -158,22 +158,22 @@ func TestOnlyContainerExemption(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", ""), "container41")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", ""), "container41")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", ""), "container42")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", ""), "container42")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller4"), "container41")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller4"), "container41")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", ""), "container41")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", ""), "container41")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller4"), "container41")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller4"), "container41")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", ""), "container51")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", ""), "container51")
assert.True(t, actionable)
}
@@ -181,25 +181,25 @@ func TestNamespaceAndContainerExemption(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", ""), "container51")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", ""), "container51")
assert.False(t, actionable)
actionable = parsedConf.IsActionable("priorityClassNotSet", createMeta("kube-system", ""), "container51")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller5"), "container51")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller5"), "container51")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller5"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller5"), "")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("insights-agent", ""), "container51")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("insights-agent", ""), "container51")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", ""), "container51")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", ""), "container51")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller5"), "container51")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller5"), "container51")
assert.True(t, actionable)
}
@@ -207,25 +207,25 @@ func TestControllerAndContainerExemption(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller6"), "container61")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller6"), "container61")
assert.False(t, actionable)
actionable = parsedConf.IsActionable("priorityClassNotSet", createMeta("", "controller6"), "container61")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller6"), "container61")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller6"), "container61")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller6"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller6"), "")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller7"), "container61")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller7"), "container61")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", ""), "container61")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", ""), "container61")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", ""), "container61")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", ""), "container61")
assert.True(t, actionable)
}
@@ -233,28 +233,28 @@ func TestContainerExemption(t *testing.T) {
parsedConf, err := Parse([]byte(confContainerTest))
assert.NoError(t, err)
- actionable := parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", ""), "container71")
+ actionable := parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", ""), "container71")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", ""), "container71")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", ""), "container71")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("", "controller7"), "container71")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("", "controller7"), "container71")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller7"), "")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller7"), "")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller7"), "container71")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller7"), "container71")
assert.False(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("insights-agent", "controller7"), "container71")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("insights-agent", "controller7"), "container71")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller6"), "container71")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller6"), "container71")
assert.True(t, actionable)
- actionable = parsedConf.IsActionable("multipleReplicasForDeployment", createMeta("kube-system", "controller7"), "container61")
+ actionable = parsedConf.IsActionable("deploymentMissingReplicas", createMeta("kube-system", "controller7"), "container61")
assert.True(t, actionable)
actionable = parsedConf.IsActionable("priorityClassNotSet", createMeta("kube-system", "controller7"), "container71")
diff --git a/pkg/validator/controller_test.go b/pkg/validator/controller_test.go
index eb37bbf62..b03585451 100644
--- a/pkg/validator/controller_test.go
+++ b/pkg/validator/controller_test.go
@@ -64,11 +64,11 @@ func TestControllerLevelChecks(t *testing.T) {
testResources := func(res *kube.ResourceProvider) {
c := conf.Configuration{
Checks: map[string]conf.Severity{
- "multipleReplicasForDeployment": conf.SeverityDanger,
+ "deploymentMissingReplicas": conf.SeverityDanger,
},
}
expectedResult := ResultMessage{
- ID: "multipleReplicasForDeployment",
+ ID: "deploymentMissingReplicas",
Severity: "danger",
Category: "Reliability",
}
@@ -85,7 +85,7 @@ func TestControllerLevelChecks(t *testing.T) {
expectedResult.Message = "Only one replica is scheduled"
}
expectedResults := ResultSet{
- "multipleReplicasForDeployment": expectedResult,
+ "deploymentMissingReplicas": expectedResult,
}
assert.Equal(t, "Deployment", actualResult.Kind)
diff --git a/test/checks/multipleReplicasForDeployment/failure.yaml b/test/checks/deploymentMissingReplicas/failure.yaml
similarity index 100%
rename from test/checks/multipleReplicasForDeployment/failure.yaml
rename to test/checks/deploymentMissingReplicas/failure.yaml
diff --git a/test/checks/multipleReplicasForDeployment/success.yaml b/test/checks/deploymentMissingReplicas/success.yaml
similarity index 100%
rename from test/checks/multipleReplicasForDeployment/success.yaml
rename to test/checks/deploymentMissingReplicas/success.yaml